The Compliance Case for Managed Gated Publishing

TL;DR
DIY static hosting with auth (S3 + Cognito) works technically but fails under security audits: you own the evidence collection, incident response, and documentation. A managed service with its own SOC 2 cert reduces your compliance burden to "add to vendor register."

What auditors ask about internal hosting

When a security auditor reviews your internal content hosting — whether for SOC 2, ISO 27001, or a customer security questionnaire — they ask a standard set of questions:

Access control: Who has access to what? How is access granted and revoked? Is access based on individual identity or shared credentials?

Audit trail: When was content accessed, by whom, and from where? How long are access logs retained? Can you produce a log of who viewed a specific document on a specific date?

Data protection: Is content encrypted at rest and in transit? Where is it stored? What happens when a viewer's account is deprovisioned?

Vendor security: If this is a third-party service, what is their security posture? Do they have a SOC 2 report? What is their incident response process?

These aren't trick questions. They're the standard evidence set for any access control system. The difference between DIY and managed is who owns the answers.


The DIY compliance burden

When you build your own S3 + Cognito + Lambda@Edge stack, you own every audit question.

Access control documentation: You write the runbook. You document the Cognito user pool configuration. You document the Lambda@Edge auth logic. You document the IAM policies.

Audit trail: CloudTrail captures AWS API calls. To answer "who accessed this document on March 12th?", you query CloudTrail logs filtered by S3 GetObject for the relevant object key, cross-referenced with Cognito identity logs. This is doable. It requires someone who knows the query syntax and the data model.
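The query sketched above, worked through on constructed data, as an added illustration rather than code from the article: filter CloudTrail S3 data events for GetObject on one object key during one day, then attribute each fetch to a person. The CloudTrail field names (eventTime, eventName, eventSource, requestParameters.key, sourceIPAddress) follow the real S3 data-event schema, and note that S3 data events are not logged unless you enable them on the trail. The JSON auth-log format and the join on (source IP, URI, short time window) are assumptions: the article does not say how the Cognito identity is cross-referenced, so this is one plausible way to do it, and it deliberately keeps fetches that have no matching auth entry visible as unattributed rather than dropping them.

```python
"""Reconstruct "who viewed object X on date Y" from CloudTrail S3 data
events plus an authentication log written by a Lambda@Edge auth function.
Added example; not code from the original article or from Display."""
from datetime import datetime, timedelta, timezone
import json

# Constructed CloudTrail S3 data events (sample data, not from a real account).
CLOUDTRAIL_RECORDS = [
    {"eventTime": "2024-03-12T09:15:02Z", "eventName": "GetObject",
     "eventSource": "s3.amazonaws.com", "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"bucketName": "internal-docs", "key": "handbook/security.html"}},
    {"eventTime": "2024-03-12T09:15:03Z", "eventName": "GetObject",
     "eventSource": "s3.amazonaws.com", "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"bucketName": "internal-docs", "key": "assets/logo.png"}},
    {"eventTime": "2024-03-12T14:40:11Z", "eventName": "GetObject",
     "eventSource": "s3.amazonaws.com", "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"bucketName": "internal-docs", "key": "handbook/security.html"}},
    # A fetch with no corresponding auth-log entry: must stay visible in the evidence.
    {"eventTime": "2024-03-12T16:05:30Z", "eventName": "GetObject",
     "eventSource": "s3.amazonaws.com", "sourceIPAddress": "192.0.2.55",
     "requestParameters": {"bucketName": "internal-docs", "key": "handbook/security.html"}},
    {"eventTime": "2024-03-13T08:00:00Z", "eventName": "GetObject",
     "eventSource": "s3.amazonaws.com", "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"bucketName": "internal-docs", "key": "handbook/security.html"}},
]

# Constructed auth log: one JSON line per request the (hypothetical) Lambda@Edge
# function authorised after validating the Cognito JWT. Format is an assumption.
AUTH_LOG_LINES = [
    '{"ts": "2024-03-12T09:15:01Z", "email": "alice@yourco.com", "ip": "203.0.113.10", "uri": "/handbook/security.html"}',
    '{"ts": "2024-03-12T14:40:10Z", "email": "bob@yourco.com", "ip": "198.51.100.7", "uri": "/handbook/security.html"}',
    '{"ts": "2024-03-13T07:59:59Z", "email": "alice@yourco.com", "ip": "203.0.113.10", "uri": "/handbook/security.html"}',
]


def _parse_ts(s):
    """CloudTrail and the auth log both use ISO-8601 UTC with a trailing Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def who_accessed(key, day, trail_records, auth_lines, window_seconds=5):
    """Return [(eventTime, email_or_None, source_ip)] for every GetObject on
    `key` during `day` (YYYY-MM-DD). A fetch is attributed to the auth-log
    entry with the same IP and URI whose timestamp falls within
    `window_seconds` before the S3 request; unmatched fetches are reported
    with email None so a gap in authorisation shows up in the evidence."""
    auth = [json.loads(line) for line in auth_lines]
    results = []
    for rec in trail_records:
        if rec.get("eventSource") != "s3.amazonaws.com" or rec.get("eventName") != "GetObject":
            continue
        if rec.get("requestParameters", {}).get("key") != key:
            continue
        t = _parse_ts(rec["eventTime"])
        if t.strftime("%Y-%m-%d") != day:
            continue
        email = None
        for entry in auth:
            delta = t - _parse_ts(entry["ts"])
            if (entry["ip"] == rec["sourceIPAddress"]
                    and entry["uri"] == "/" + key
                    and timedelta(0) <= delta <= timedelta(seconds=window_seconds)):
                email = entry["email"]
                break
        results.append((rec["eventTime"], email, rec["sourceIPAddress"]))
    return results


if __name__ == "__main__":
    for row in who_accessed("handbook/security.html", "2024-03-12",
                            CLOUDTRAIL_RECORDS, AUTH_LOG_LINES):
        print(row)
```

The unattributed row (email None) is the one an auditor will ask about: on this stack it is your job to explain whether it was a cache fill, a misconfigured origin access policy, or something that bypassed the auth function.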

Evidence collection: Before every audit cycle, you gather CloudTrail exports, Cognito user pool exports, access policy screenshots, certificate expiry documentation. This takes hours per audit.

Incident response: If a former employee's credentials weren't revoked and they accessed internal content after offboarding, you're responsible for detecting it, documenting the incident, and demonstrating the remediation.

Ongoing maintenance: Every time your Google Workspace configuration changes, every time your Cognito user pool needs an update, every time AWS deprecates a Lambda runtime version — your team maintains the infrastructure and documents the changes for the next audit.


The managed service answer

When Display is your vendor for internal content hosting:

Access control: Display's domain-restricted SSO is the access control system. Access is granted by email domain (anyone with @yourco.com) or by individual invite. Revocation: remove from the allow-list or deprovision their Google/Microsoft account — immediately effective.
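An access decision of the kind described above (anyone at an allowed email domain, plus individually invited addresses), written out as an added example so the edge cases are explicit. This is not Display's code and the allow-list shape is an assumption; the claim names (email, email_verified) are the standard OIDC claims that Google and Microsoft sign-in return. The points it makes: trust only a verified address, normalise case, and match the domain exactly rather than with a suffix check, so that "alice@yourco.com.evil.example" does not pass for "yourco.com".

```python
"""Domain-restricted allow-list check for an SSO-gated site.
Added example, not Display's implementation; allow-list shape assumed."""

# Constructed allow-list: whole domains plus individually invited addresses.
ALLOWED_DOMAINS = {"yourco.com"}
INVITED = {"contractor@partner.example"}


def is_authorized(claims, allowed_domains=ALLOWED_DOMAINS, invited=INVITED):
    """Decide access from the ID-token claims the IdP returned.
    Returns True only for a verified address whose domain is on the
    allow-list exactly, or that is individually invited."""
    # An unverified email claim can be self-asserted at some providers;
    # never grant on it.
    if not claims.get("email_verified"):
        return False
    email = (claims.get("email") or "").strip().lower()
    if email.count("@") != 1:
        return False
    local, domain = email.split("@")
    if not local or not domain:
        return False
    # Exact label match, not endswith(): "yourco.com.evil.example" and
    # "evil-yourco.com" both fail here.
    if domain in {d.lower() for d in allowed_domains}:
        return True
    return email in {i.lower() for i in invited}


def revoke_invite(email, invited=INVITED):
    """Revocation for an invited address is just removal from the set;
    domain users are revoked by deprovisioning at the IdP instead."""
    invited.discard(email.strip().lower())
    return email.strip().lower() not in invited
```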

Audit trail: Display maintains access logs. Your dashboard shows who viewed what and when. Enterprise plan includes exportable audit logs for compliance evidence.

Evidence collection: For your audit: link to Display's security page and SOC 2 report. Your audit answer: "Display is our vendor for internal content publishing. Here is their SOC 2 Type II report."

Incident response: If there's a security incident involving Display's infrastructure, they handle the detection, notification, and remediation. Your incident response process: notify Display and document that you did.

Ongoing maintenance: Zero. Display maintains the infrastructure, handles platform updates, and keeps the auth integrations current.


When DIY is still the right call

Specific cloud provider requirements: If your compliance framework mandates that all data reside in AWS GovCloud, or specifically in your own AWS account, a SaaS can't satisfy this requirement.

On-premise or VPC deployment: If your security team requires all internal tools to be deployed in your VPC with no data leaving your network, SaaS is not an option.

Maximum control over the auth flow: If you have custom authentication requirements — hardware token verification, device posture checks, specific IdP configurations — that a managed service doesn't support, DIY may be necessary.

Existing sunk costs: If you've already built and documented the DIY stack and it's running smoothly, the compliance benefit of switching may not outweigh the migration cost.


FAQ

Is Display SOC 2 certified?

Display is working toward SOC 2 Type II certification. Current security posture: encrypted storage (Cloudflare R2), TLS in transit, tenant isolation, domain-restricted SSO, access log retention. Enterprise plan includes audit log access and custom data residency. Contact the team for the current security documentation.

Where is data stored?

Display uses Cloudflare R2 for object storage, distributed globally on Cloudflare's network. Enterprise plan includes custom data residency if you need content stored in a specific region.

Can we get a BAA (HIPAA)?

Not currently. Display is not designed for HIPAA-covered content. Do not publish PHI (Protected Health Information).

How do I include Display in our vendor security review?

Contact Display via the security page to request a security questionnaire response, current security documentation, and any available compliance reports.

Publish your first artifact in 15 seconds.

Free tier. No credit card. One-time password auth for viewers on the free tier; Google + Microsoft SSO on Teams ($49/month flat).
